
Malicious advertisements served via Yahoo

Detection of the infection

Fox-IT operates the shared Security Operations Center service ProtACT. This service monitors the networks of our clients for malicious activity. On January 3 we detected and investigated the infection of clients after they visited yahoo.com.

Infection

Clients visiting yahoo.com received advertisements served by ads.yahoo.com. Some of the advertisements are malicious. Those malicious advertisements are iframes hosted on the following domains:

blistartoncom.org (192.133.137.59), registered on 1 Jan 2014

slaptonitkons.net (192.133.137.100), registered on 1 Jan 2014

original-filmsonline.com (192.133.137.63)

funnyboobsonline.org (192.133.137.247)

yagerass.org (192.133.137.56)

Upon visiting the malicious advertisements users get redirected to a “Magnitude” exploit kit via an HTTP redirect to seemingly random subdomains of:

boxsdiscussing.net

crisisreverse.net

limitingbeyond.net

and others

All those domains are served from a single IP address: 193.169.245.78. This IP address appears to be hosted in the Netherlands.

This exploit kit exploits vulnerabilities in Java and installs a host of different malware including:

ZeuS

Andromeda

Dorkbot/Ngrbot

Advertisement clicking malware

Tinba/Zusy

Necurs

The investigation showed that the earliest signs of infection were on December 30, 2013. Other reports suggest it might have started even earlier.

Schematically the exploit looks like this:

Size

Based on a sample of traffic we estimate the number of visits to the malicious site to be around 300k/hr. Given a typical infection rate of 9% this would result in around 27,000 infections every hour. Based on the same sample, the countries most affected by the exploit kit are Romania, Great Britain and France. At this time it’s unclear why those countries are most affected; it is likely due to the configuration of the malicious advertisements on Yahoo.

Motivation

It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated and seem to offer services to other actors. The exploit kit bears similarities to the one used in the brief infection of php.net in October 2013.

Advice

Block access to the following IP addresses of the malicious advertisement and the exploit kit:

Block the 192.133.137/24 subnet

Block the 193.169.245/24 subnet

Also closely inspect network traffic for signs of successful exploits for any of the dropped malware.
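As an added example that is not part of the Fox-IT post, the indicators listed above can be turned into a simple check over proxy logs that flags the ad iframe, the exploit kit landing page and any other traffic into the two blocked subnets, grouped per client so the redirect chain is visible. The log format and the sample lines are constructed; the non-indicator addresses are documentation addresses.

```python
import ipaddress
import re

# Indicators taken from the post above.
BLOCKED_NETS = [ipaddress.ip_network("192.133.137.0/24"),   # malicious ad iframes
                ipaddress.ip_network("193.169.245.0/24")]   # Magnitude EK redirects
AD_DOMAINS = {"blistartoncom.org", "slaptonitkons.net", "original-filmsonline.com",
              "funnyboobsonline.org", "yagerass.org"}
EK_DOMAINS = {"boxsdiscussing.net", "crisisreverse.net", "limitingbeyond.net"}

# Constructed (assumed) proxy-log format: "<client_ip> <dest_ip> <host> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def registered_domain(host):
    """Collapse a random-looking subdomain to its last two labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(line):
    """Label one log line, or return None if it matches no indicator."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    dest_ip, host = m.group(2), m.group(3)
    dom = registered_domain(host)
    if dom in AD_DOMAINS:
        return "malicious-ad-iframe"
    if dom in EK_DOMAINS:
        return "magnitude-ek-landing"
    try:
        addr = ipaddress.ip_address(dest_ip)
    except ValueError:
        return None
    if any(addr in net for net in BLOCKED_NETS):
        return "blocked-subnet"
    return None

def scan(lines):
    """Group flagged lines by client so an analyst sees the chain per victim."""
    hits = {}
    for line in lines:
        label = classify(line)
        if label:
            hits.setdefault(line.split()[0], []).append(label)
    return hits

# Constructed sample traffic: 10.0.0.5 follows the ad-to-EK chain, 10.0.0.9 is clean.
SAMPLE = """\
10.0.0.5 203.0.113.10 ads.yahoo.com /ad?id=1 200
10.0.0.5 192.133.137.59 blistartoncom.org /ad.html 200
10.0.0.5 193.169.245.78 kfj3s.boxsdiscussing.net /index.php 200
10.0.0.9 198.51.100.7 example.com / 200
"""

if __name__ == "__main__":
    for client, labels in scan(SAMPLE.splitlines()).items():
        print(client, "->", " > ".join(labels))
```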

Yahoo is aware of the issue and looking into it.

Please watch this page for updates.

Update January 3, 1815 (GMT+1): It appears the traffic to the exploit kit has significantly decreased. It looks like Yahoo is taking steps to fix the problem.

Upon visiting the malicious advertisements users get redirected to a “Magnitude” exploit kit via an HTTP redirect. Does this mean that the users will be redirected when they click on the ad or when the ad is displayed? Please clarify.

There have been reports in other major online publications that the user had to click on the advert to get infected. Please, send out a formal statement on this to my email if possible. We were among the first ones to cover this story and our readers are demanding a confirmation on this!

Isn’t it true, correct me if I am wrong, but you MUST have an outdated version of Java installed on the computer in order for the exploit to take place. Then and only then can you be infected by simply visiting the site. I’m not saying I am 100% correct, but I think I am. So if you remove Java, you cannot be exploited, I believe.

@Ravi,
The drive-by did not need to be clicked on. The exploitable version of Java allowed the malware to automatically run. Newer versions of Java required the user to click the advertisement.
@JimmyFal,
The older versions of Java allowed the malware to be run automatically. Newer versions required the user to click the ad.

“exploits vulnerabilities in Java”. Someone please correct me if I am wrong. Java is hugely exploited on computers. If you have Java on your computer, it must be kept up to date in order to be as protected as possible. However Oracle, the creators of Java, see fit to exploit innocent people who are simply trying to update Java regularly, by checking boxes for the end user that routinely change the home page of the browser and install the Ask.com toolbar. A scumbag practice no matter how you slice it. The best way to avoid a Java exploit is to go to the control panel on your computer, and REMOVE JAVA. You probably do not need it anyway.

What happens if the Java plugin in Firefox is configured so the user has to specifically confirm the activation of the plugin when needed by the website? My default settings for Firefox are such that the runtime needs manual confirmation, while the Java Deployment Toolkit is completely deactivated.
Is an infection possible this way?